FROMGIT: binder: fix BUG_ON found by selinux-testsuite

The selinux-testsuite found an issue resulting in a BUG_ON()
where a conditional relied on a size_t going negative when
checking the validity of a buffer offset.

(cherry picked from commit 5997da82145bb7c9a56d834894cb81f81f219344
 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
 char-misc-linus)
Bug: 67668716
Bug: 129336614
Change-Id: Ib3b408717141deadddcb6b95ad98c0b97d9d98ea
Fixes: 7a67a39320df ("binder: add function to copy binder object from buffer")
Reported-by: Paul Moore <paul@paul-moore.com>
Tested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Todd Kjos <tkjos@google.com>

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 94e2872cff03da168f82aad97e0bd277e8ffa8b1..36ad7483424c0147cf7d020dc0174addfb4499d6 100644 (file)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2239,7 +2239,8 @@ static size_t binder_get_object(struct binder_proc *proc,
        size_t object_size = 0;
 
        read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
-       if (read_size < sizeof(*hdr) || !IS_ALIGNED(offset, sizeof(u32)))
+       if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
+           !IS_ALIGNED(offset, sizeof(u32)))
                return 0;
        binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
                                      offset, read_size);